Yeah, it's possible to get it to work with password managers. I believe it has to do with ensuring the password field still exists on the page when the username is shown.
This is what I've done too. I've tried a bunch of other keyboards from F-Droid, but haven't been 100% happy with any of them. So I'm using GBoard still with all network permissions disabled.
I don't think WebAuthn protects against cookie theft. WebAuthn better protects the login process. But if the result of the login process is still a session/auth cookie, that can be stolen like any other cookie.
I do the two profiles on mine as well. The Google profile isn't allowed to run in the background so it's only active when I'm using an app that really needs it. Down to just a single app now that needs it.
Software cracks leaving a calling card isn't unheard of. Companies have been caught out before with names of cracking groups showing up in their files.
Edit: found the article I was thinking of. Turns out it was Microsoft themselves!
It's mostly a power efficiency thing. Before push notifications were the norm, most apps used a polling method. They had the application send a request every X seconds asking "anything new?". There wasn't coordination between apps, so even if every app checked once every 30s, it likely wouldn't be on the same 30s. This caused the device to wake up a lot and never let it switch into low power mode.
A push notification system like FCM or UnifiedPush means only a single application needs to run in the background. It maintains a persistent connection to the push notification service and waits for a message. When it receives one, it wakes up the relevant app and passes it the details.
Signal does have a fallback if FCM is unavailable. It supposedly uses slightly more battery, but I can't say I noticed it. I've swapped to using Molly which is a fork of Signal which implements UnifiedPush (among some other features).
I've never worked directly with FCM, but that's my understanding of the issue. I don't know about WhatsApp. But it may do the same thing as Signal where the notification is just a wake up call and then the app connects directly to the WhatsApp servers to get the actual message.
Anything using FCM will be affected. UnifiedPush, which I mentioned, I don't believe has an option to encrypt notification content either. Using it you'd already at least have the option of using a provider with a better privacy policy or self hosting it.
The issue lies with Google's FCM (Firebase Cloud Messaging) system, so it's not something GrapheneOS can really fix. As far as I know FCM doesn't offer a way to encrypt notification content. Some apps like Signal work around this: instead of sending the message content, they send a little "wake up" notification. This tells Signal on your phone to wake up and it goes and retrieves the new message.
If you don't install Google Play Services, you won't be impacted. But you'll also not get notifications for most applications. There is an alternative push notification system called UnifiedPush which allows you to choose any server to handle your notifications (and even self host it). But it does require both the service and the app to support it, so it's not very widespread yet.
Yes, it's possible. From my very basic understanding of it, there are two ways Google can verify devices: using software or dedicated hardware. As long as Google continues to accept the software check you can root and still pass. Google can't reject the software results without cutting off a large number of older or cheaper phones. There's no way to get around the hardware check as far as I know.
The GrapheneOS team strongly recommend against rooting devices. Google Wallet doesn't support them as they won't pass Google's SafetyNet. Never tried to root a GrapheneOS device so not sure if it's possible to force a pass.
I did see that one a few weeks ago. I haven't tried it out yet. I keep forgetting to try installing it when I'm around my computer (to manually extract the glide-typing library).
I have been using GrapheneOS on a 7 Pro since the start of the year and it's been great.
Similar to you I'm trying to degoogle. I've got Google Play Services installed only in a secondary profile which isn't allowed to run in the background. So it's only ever able to run when I absolutely need it. Down to only one app now that requires it, so can hopefully remove it completely soon.
On my primary profile I do still have a few Google apps. Namely Google Camera (GrapheneOS is still in the process of getting full parity with it) and GBoard (haven't found an open source one I like as much yet). Both of them I've denied any network access, so they can't do any tracking at all.
I haven't had any stability issues since I switched. The updates have been pretty frequent and very seamless.
I've swapped to using it since I switched to GrapheneOS. Only apps I've got using it so far are Tusky (Mastodon), Molly (Signal fork with UnifiedPush), and some of my self hosted stuff which allows for web hooks.
I really hope it catches on in more apps. Especially as their library has automatic fallback to Google's service.
Signal doesn't encrypt notifications from what I understand. It uses Google/Apple's notification system like everything else. But the notification only says "Hey, wake up!". Then the Signal app goes and retrieves the message from Signal's servers. That retrieval will be encrypted, but it's outside the push notification system at that point.
It's not about it being locked. It's being able to re-lock it after unlocking. You can unlock it, flash something like GrapheneOS onto it and then re-lock it. If it's left unlocked, then anyone with a few minutes' access to your phone could flash anything over the top, allowing them to bypass the standard protections and install any app at the system level.
This is what I do as well and it's been working great for me.